Think Your Phone Number on Facebook is Private? Not Likely

Facebook has a reverse lookup feature where users can lookup phone numbers to find people the number belongs to. Up until this week, that feature could be abused to look up thousands of numbers at once.

Facebook has patched the system that allowed a security researcher to lookup random phone numbers on Facebook and harvest the names of the people who own the numbers. Now a user can perform a limited number of reverse lookups from a given IP address, Facebook said.

Wait a minute, you may be asking, you can look up phone numbers on Facebook?

"The ability to search for a person by phone number is intentional behavior and not a bug in Facebook. By default, your privacy settings allow everyone to find you with search and friend finder using the contact info you have provided, such as your email address and phone number. You can modify these settings at any time from the Privacy Settings page," a Facebook spokesperson told SecurityWatch.

Reverse Lookup

Let's break that down a bit, shall we?

It turns out that you can type a phone number into the top search bar, where you would normally type a group name, topic, or a friend's name, and see the profile of the person who owns that number. Now, you may be thinking that the reverse lookup won't work for your phone number because you've used Facebook's inline privacy controls to restrict who can see that information. Think again.

"Even if you altered your privacy settings to ensure that your phone number is only visible to you, other people can still use it to look you up," Graham Cluley, a senior technology consultant at Sophos, wrote on the Naked Security blog.

In yet another example of how confusing Facebook's privacy settings can be, the inline controls on your Timeline (the ones you set to determine who can see contact information such as your phone number, email address, and street address) govern visibility, not privacy. They only determine whether that information shows up on your Timeline; they don't suppress it anywhere else on the social networking site, such as, say, in reverse phone number lookup.

"When you edit settings on Timeline this only governs the visibility and you will need to modify your Privacy Settings to change the privacy of that information," a Facebook spokesperson told SecurityWatch.

The privacy option, the one that really tells Facebook, "hey, don't display my phone number to people," is under the Privacy Settings menu in the section "How You Connect." The relevant control, "Who can look you up using the email address or phone number you provided?" is, by default, set to "Everyone."

I looked up a pretty security-conscious friend's phone number and found his profile. I asked him whether his phone number was public on the site or not, and he said he'd restricted the number to be visible only to his family members (a custom list he'd created) and members of his networks. I asked him to check the privacy option.

"Everyone," he said over instant message, and then added, "That's not good."

Since most people assume that setting the phone number or email address to private on the profile means that it’s, you know, private, very few realize, or know about, the other setting that also needs to be changed.

The Phone Number Abuse

As a result, it was possible to enter random phone numbers and harvest the names and profile photos of the users associated with those numbers, independent security researcher Suriya Prakesh wrote in a blog post last Friday. Facebook didn't have any limit on how many numbers could be looked up, letting Prakesh write a script to look up 10,000 phone numbers at a time, according to the blog post. Prakesh did sequential lookups, changing just one digit at a time to see whether there was a user associated with that number.

Can you imagine how gleeful a telemarketer would be to have this information?

"Connecting a person’s phone number to a name is what every advertiser dreams of, and these sort of lists would fetch a LARGE price in the black market," Prakesh wrote.

Prakesh also estimated that someone with a big enough botnet (100,000 machines) and a script would take only a few days to go through the 600 million or so Facebook users who have a mobile phone.

Facebook tweaked the system on Wednesday, and Prakesh confirmed it is no longer possible to do mass-scale lookups.

"Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked. We are constantly updating these systems to improve their effectiveness and address new kinds of attacks," the spokesperson for the social networking site said.
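The two defences discussed above, a per-IP budget for reverse lookups and a check for the one-digit-at-a-time lookup pattern Prakesh used, as an added illustration that is neither Facebook's own code nor the researcher's script; the request log, the IP addresses, the phone numbers and the thresholds are all constructed assumptions:

```python
from collections import defaultdict, deque

# Constructed sample of reverse-lookup requests: (timestamp in seconds, client IP, number).
# The IPs are documentation ranges and the numbers are invented placeholders, not real subscribers.
SAMPLE_LOOKUPS = sorted(
    # one client walking the number space one digit at a time, as the article describes
    [(t, "198.51.100.7", f"+1555010000{t + 1}") for t in range(8)]
    # one client making a couple of unrelated lookups
    + [(3, "203.0.113.9", "+15550107777"), (40, "203.0.113.9", "+15550101234")]
    # one client querying random numbers faster than the per-IP budget allows
    + [(10 + i, "192.0.2.50", n) for i, n in enumerate(
        ["+15550105555", "+15550103333", "+15550108888",
         "+15550102222", "+15550109999", "+15550104444"])]
)

class LookupGuard:
    """Per-IP sliding-window rate limit plus a sequential-enumeration detector (assumed design)."""
    def __init__(self, max_per_window=5, window=60, seq_threshold=3):
        self.max_per_window = max_per_window  # lookups allowed per IP within one window
        self.window = window                  # window length in seconds
        self.seq_threshold = seq_threshold    # consecutive +1 lookups before flagging
        self.recent = defaultdict(deque)      # ip -> timestamps of attempts inside the window
        self.last_number = {}                 # ip -> numeric value of the previous query
        self.seq_run = defaultdict(int)       # ip -> length of the current +1 run

    def check(self, ts, ip, number):
        """Return 'allow', 'rate_limited' or 'enumeration' for one lookup request."""
        q = self.recent[ip]
        q.append(ts)                          # count every attempt, allowed or not
        while ts - q[0] >= self.window:       # forget attempts that left the window
            q.popleft()
        digits = int("".join(ch for ch in number if ch.isdigit()))
        prev = self.last_number.get(ip)
        self.seq_run[ip] = self.seq_run[ip] + 1 if prev == digits - 1 else 0
        self.last_number[ip] = digits
        if self.seq_run[ip] >= self.seq_threshold:
            return "enumeration"              # number changes by one each time: a scan
        if len(q) > self.max_per_window:
            return "rate_limited"             # over the per-IP budget for this window
        return "allow"

def audit(events, **limits):
    """Run every event through one guard and return (ip, number, verdict) per event."""
    guard = LookupGuard(**limits)
    return [(ip, number, guard.check(ts, ip, number)) for ts, ip, number in events]

if __name__ == "__main__":
    for ip, number, verdict in audit(SAMPLE_LOOKUPS):
        print(f"{ip:14} {number} {verdict}")
```

With the constructed log, the sequential client is flagged on its fourth lookup, the burst client is cut off once it exceeds the budget, and the ordinary client is never blocked.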

Want to make that phone number private? Head on over to the Privacy Settings and change "How You Connect" now! Also check out Neil Rubenking's helpful tips in "How to Lock Down Your Facebook Profile."
